Configuring syslog on ESXi

Article ID: 318939


Products

VMware vSphere ESXi

Issue/Introduction

VMware ESXi hosts run a Syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default, ESXi places these logs on a local scratch volume or a ramdisk. To retain the logs beyond these default locations, ESXi can be configured to write them to an alternate storage location on disk and to send them across the network to a Syslog server.

Retention, rotation, and splitting of logs received and managed by a Syslog server are fully controlled by that Syslog server. ESXi cannot configure or control log management on a remote Syslog server. Additionally, forwarding specific log files (e.g. hostd.log or vmkernel.log) to the Syslog server is unsupported. For more information, see the documentation for that specific Syslog server.

Environment

  • VMware vSphere ESXi 6.x 
  • VMware vSphere ESXi 7.x 
  • VMware vSphere ESXi 8.x
  • VMware vSphere ESX 9.x

Resolution

There are five configurable ESXi Advanced Options:

  • Syslog.global.logDir
    • This setting specifies the location, on a local or remote datastore (VMFS, NFS, FAT), and the path where logs are saved.
    • The value has the format [DatastoreName] DirectoryName, which maps to /vmfs/volumes/<DatastoreName>/<DirectoryName>/.
    • For ESXi 6.7 and later versions, the log directory must exist before the Syslog.global.logDir parameter is configured. If the folder specified as <DirectoryName> does not exist, configuring Syslog.global.logDir fails with "Internal error" in the UI and the "Logdir must exist and be a directory" error message in /var/run/log/hostd.log on the ESXi host.
    • If /scratch is defined, the default is []/scratch/log. For more information on scratch, see Creating a persistent scratch location for ESXi 8.x/7.x/6.x.
  • Syslog.global.logHost
    • This setting is a comma-delimited list of remote servers where logs are sent using the syslog protocol.
    • If the logHost field is blank, no logs are forwarded.
    • Include the protocol and port, similar to:
      • tcp://hostname:514
      • udp://hostname:514
      • ssl://hostname:1514
  • Syslog.global.logDirUnique
    • This boolean setting controls whether a host-specific directory is created within the configured logDir.
    • The default value is false.
    • The directory name is the hostname of the ESXi host. A unique directory is useful if the same shared directory is used by multiple ESXi hosts.
  • Syslog.global.defaultRotate
    • This setting controls the maximum number of log files to keep locally on the ESXi host in the configured logDir.
    • The default value is 8.
    • This setting does not affect the remote syslog server retention.
  • Syslog.global.defaultSize
    • This setting sets the maximum size, in kilobytes, of each local log file before it is rotated.
    • The default value is 1024 KB.
    • This setting does not affect the remote syslog server retention.
    • For more information on sizing, see ESXi Syslog Options.

Note: To set the options individually for system components such as auth, hostd, etc., select the loggers under syslog in Advanced System Settings in the vSphere Client GUI, and set them to the desired values (e.g. for hostd, Syslog.loggers.hostd.rotate and Syslog.loggers.hostd.size).

Configuring Local and Remote Logging using the esxcli command

Local and remote syslog functionality can be configured for a host using the esxcli command line utility, which can be used at the console of an ESXi host, in the vCLI, or in the vMA.

  1. Open an ESXi shell console session where the esxcli command is available, such as the vCLI or on the ESXi host directly.
  2. Display the existing five configuration options on the host:
    esxcli system syslog config get
  3. Set new host configuration, specifying options to change:
    esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN

    Example
    • To configure the remote syslog using TCP on port 514:
      esxcli system syslog config set --loghost='tcp://<syslog_server_IPv4>:514'
    • To remove the remote syslog:
      esxcli system syslog config set --reset=loghost
  4. After making configuration changes, load the new configuration:
    esxcli system syslog reload
  5. Test if the port is reachable from the ESXi host:
    nc -z <RemoteHostname> 514

    Example
    nc -z 10.11.12.13 514

Configuring Local and Remote logging using Host Profiles

Local and remote syslog functionality can be configured for a cluster of similar hosts using Host Profiles. For more information, see Set Up Syslog from the Host Profiles Interface.

  1. Connect to vCenter Server using the vSphere Client.
  2. Click Home.
  3. Under the Management section, click Host Profiles.
  4. Create a new profile or edit an existing profile.
  5. In the Edit Profile dialog, set one or more of the five configuration options.
    • If syslog was configured using esxcli or advanced configuration options and the host was then captured as a reference host, the five configuration options are already visible under the Advanced Configuration option section.
    • If syslog has not been previously configured, right-click the Advanced Configuration options section and add a profile for each of the five configuration options.
  6. Save the profile and assign it to hosts.

Configuring Local and Remote logging using Host Profiles in the vSphere Web Client

  1. Connect to vCenter Server using the vSphere Web Client.
  2. Click Home.
  3. Under the Operations and Policies section, click Host Profiles.
  4. Create a new profile or edit an existing profile.
  5. In the Edit Profile dialog, set one or more of the five configuration options.
  6. Save the profile and assign it to hosts.

Configuring Local and Remote Logging using ESXi Advanced Configuration options

Local and remote syslog functionality can be configured for a host using advanced configuration options, which can be set using the vSphere Client, vSphere Web Client, PowerCLI, or vCLI.

This configuration cannot be performed using the local console's esxcfg-advcfg command. For more information on setting advanced configuration options using each method, see Configuring advanced options for ESXi/ESX.

Note: If the ESXi host loses communication with the remote syslog server, logs are no longer pushed to the syslog server. This can be confirmed by checking /var/log/.vmsyslogd.err on the ESXi host for the "failed to write log" error message. Nothing is sent to the remote syslog server until the syslogd service is restarted.

Additional Information

Configuring ESXi Firewall Exception using the esxcli command/syslog port:

Note: It may be necessary to manually open the firewall ruleset for syslog when redirecting logs.
  • To open outbound traffic through the ESXi Firewall on UDP port 514 and TCP ports 514 and 1514:
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh
  • To test whether the syslog server is receiving messages from the ESXi host:
    esxcli system syslog mark --message "Syslog Test Message"
Additionally, find the TCP port requirements for ESXi in Port requirements for ESXi.

With ESXi 8.0 Update 2b, when syslog remote hosts (loghosts) are configured with non-standard ports, the vmsyslogd service automatically creates persistent dynamic firewall rules. It is no longer necessary to manually open the firewall for ports that differ from the defaults of 514 for TCP/UDP and 1514 for SSL. When remote hosts are configured with the standard ports, enabling the syslog firewall ruleset is still required.

Refer to VMware ESXi 8.0 Update 2b Release Notes.

Example

esxcli system syslog config set --loghost=tcp://#.#.#.#:12345
esxcli network firewall ruleset rule list | grep dynamic

Note: For versions prior to ESXi 8.0 U2b, if a custom syslog port is needed, the method for opening the port is to use a partner-created VIB. See Creating custom firewall rules in VMware ESXi is not supported for more information.
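
Added example (not part of the original article or of VMware's tooling): a POSIX shell check that takes a Syslog.global.logHost value and reports, for each entry, whether the syslog firewall ruleset covers it or whether it depends on the dynamic rules introduced in ESXi 8.0 Update 2b. The function names and sample addresses are constructed, and entries that omit the protocol or port are treated as invalid, following the article's guidance to include both.

```shell
#!/bin/sh
# Added example, not from the KB article; function names and the sample
# value are constructed. Basis taken from the article: the "syslog" ruleset
# opens outbound UDP 514 and TCP 514/1514; any other port depends on the
# dynamic rules vmsyslogd creates from ESXi 8.0 Update 2b onward.

# Prints one of: ruleset | dynamic | invalid
classify_loghost() {
    case $1 in
        tcp://*:*|udp://*:*|ssl://*:*) ;;
        *) echo invalid; return 0 ;;          # protocol or port missing
    esac
    proto=${1%%://*}
    rest=${1#*://}
    host=${rest%:*}
    port=${rest##*:}
    case $port in ''|*[!0-9]*|??????*) echo invalid; return 0 ;; esac
    if [ -z "$host" ] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo invalid; return 0
    fi
    if [ "$proto" = ssl ]; then proto=tcp; fi # ssl:// is carried over TCP
    case $proto:$port in
        udp:514|tcp:514|tcp:1514) echo ruleset ;;
        *) echo dynamic ;;
    esac
}

# Prints "<entry> <class>" for each entry of a comma-delimited logHost value.
# Returns 0 if every entry is valid, 1 if any is invalid, 2 if the value is blank.
audit_loghosts() {
    [ -n "$1" ] || { echo "blank: no logs are forwarded"; return 2; }
    rc=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        class=$(classify_loghost "$entry")
        echo "$entry $class"
        if [ "$class" = invalid ]; then rc=1; fi
    done <<EOF
$(printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t')
EOF
    return $rc
}

# Constructed sample value using documentation addresses.
SAMPLE='ssl://192.0.2.10:1514,tcp://192.0.2.11:6514,192.0.2.12'
audit_loghosts "$SAMPLE" || echo "correct the invalid entries before applying"
```

An entry reported as "dynamic" on a host older than ESXi 8.0 Update 2b will not be reachable by enabling the syslog ruleset alone, so check the host version before applying such a value.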